Better reporting for signature algorithm mismatch?
Jochen Bern
Jochen.Bern at binect.de
Thu Dec 5 21:16:50 AEDT 2024
On 04.12.24 19:47, Brian Candler wrote:
> debug1: Offering public key: /Users/brian/.ssh/id_rsa RSA [...]
> debug1: send_pubkey_test: no mutual signature algorithm <<<< *THIS*
>
> I wonder if there could there be some way to highlight the "no mutual
> signature algorithm" message more prominently in normal operation?
Wouldn't the extra output, even in cases where a different keypair
succeeds later on, threaten to hose applications that expect the
connection to be transparent (or fail completely)? As in, rsync, git, etc.?
In general, the client may try a number of keypairs and every try has a
number of possible reasons to fail, from cryptalgorithm-related ones
(including "cipher (here: RSA) rejected" and "hash (here: SHA2
variant(s)) rejected") to "unknown keypair" to less-frequent ones (like
"pubkey has a ForceCommand option and I can't execute that" etc.). I
don't think that we should try to triage these cases into "interesting
ones" that do emit a(n interim) warning, and the rest that doesn't.
*If* the login fails *altogether*, however, doing a "post mortem" and
adding a line to the effect of "oh, by the way, *one* of the keypairs
failed only because of rare condition XY" could still be helpful.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4336 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20241205/c53d4d5a/attachment.p7s>
More information about the openssh-unix-dev
mailing list